Introduction
Recently there has been a wave of DNS hijacking attempts across multiple dApps and public RPC endpoints for entire blockchains. The financial consequences of these events has been nearly zero and they certainly do not compare to some of the recent high profile exploits that have taken place within DeFi and beyond. Exploits of the traditional variety (bridge hacks, flash loan and other economic attacks, social engineering and theft, etc) have been taking place since the dawn of crypto and any rational participant will tell you that they expect these occurrences to both continue and increase in severity. The more capital that’s locked up in a smart contract, the more incentive bad actors have to attack it. But exploits of the traditional variety are not what is most concerning to me. The wave of DNS exploits reveal a playbook for our adversaries that could effectively stop some projects in their tracks if not avoided.
Progressive Decentralization
Decentralization is difficult. It can only be achieved alongside significant economies of scale; in other words, without lots of people using/interacting with your product simultaneously, it is impossible for it to become decentralized. Turtles after hatching must crawl, defenseless and exposed, across the beach before reaching the ocean. Many are eaten by gulls and foxes along the way. Likewise, dApps must traverse the chasm of centralization, exposed to hackers and law enforcement, before reaching a state of use that is decentralized enough to protect them.
Once in the ocean of decentralization a dApp is free to do what it pleases. The most power crazed unelected government official can’t regulate the platform away. The most savvy hacker cannot fully take down the system (assuming it is well-designed). But no dApps have yet gotten to this point- all have some degree of key-man risk, alongside a dependence on a number of centralized services to keep them running.
Deploying smart contracts only goes so far in terms of decentralization. While they cannot be changed or shut off, there are a number of other parts that must be included alongside a smart contract in order for it to be useful. Recently, it has been frontends that come under attack.
On Public Goods
Becoming a public good is a stated goal of particular class of DeFi applications. Namely Gitcoin, ENS, and Uniswap. I classify these projects together because their leadership generally follows a few of the same principles:
- Non-revolutionary: tokenomics, product offerings, and philosophy must not destabilize or agitate the wider status quo. Regulators must be respected and welcomed.
- Conservative: protocol upgrades and changes must be executed slowly to avoid mistakes.
- Inclusive: priority is given to enfranchise as many users as possible.
These tenets seem to have lead to all three of these protocols becoming so normalized that they are taken for granted. While other projects continue to push the farthest frontiers of what one can do with crypto, the aforementioned projects have become more of a fact of life to the average crypto user. The conservative projects can at least call themselves public goods, but what is to happen if their key leaders are arrested? And what happens in one the below images replaces the content that their domain name resolves?
I’m not convinced a public good is really a public good if a handful of ddos attacks and subpoenas could render it unusable. The recent DNS attack on Polygon and Fantom seems to have been perpetrated by a lower-level hacker/group, based on what they did once they got the DNS:
Today a garden variety scam bot operator got an opportunity of a lifetime and wasted it using the same grift that thousands of others attempt every day. Maybe he walked away with a few thousand MATIC and FTM tokens, but I highly doubt anyone was seriously effected. But we need to assume that the next round of attacks like this will come from the CIA, SEC, IRS and North Korea. These attackers have far more sophistication and much darker motives. My hope is that solutions for the many non-smart contract weak points that dApps possess are mitigated as more decentralized tech comes to market.
Weak Points
Domains
Domain hijacking is a serious issue for all types of websites. Changing the content that a particular DNS name resolves to something different poses a huge risk. The worst part is that it doesn’t matter how savvy or ‘crypto-native’ you are, if you weren’t informed of the hijack before accessing the site, you would have no idea (its easy to copy-paste html).
I was once the victim of a DNS hijack in 2016. The only reason why this particular website set me off was because of the live price ticker for [redacted] in the bottom corner. The numbers were clearly stale. Unfortunately, I had already used the site to transact in [redacted] and the funds were gone. Not a devastating loss but annoying nonetheless.
Recently DeFi Saver, Ribbon Finance, Convex and a few others were victims of a DNS hijack attack via Namecheap. Their use of centralized domain registrars, although convenient, was instrumental in someone being able to take over their accounts. Thankfully this was noticed quickly and did not effect too many users. Despite this the threat was a potent one, being one of the rare occurrences where a DeFi exploit effects multiple unrelated protocols at the same time.
Technology like Handshake fixes this. Rather than getting a domain from a centralized provider Handshake handles its root naming system with a decentralized peer to peer network. No email based accounts, no 2fa. Solutions like these have been being built for years and are incredibly complicated. Soon enough, however, they will be ready for prime time. dApps ought to lead the way in adopting decentralized services to mitigate these risks.
Frontends
Frontends are the most dangerous part of any dApp. The frontend contains the javascript and html that your browser renders for you. It is the code that you interact with to send messages back and forth to the smart contracts via your wallet provider. dApps don’t need frontends to work; you could always opt to interact directly with the smart contract by constructing your own transactions; whether through one’s own full node or via a service like Etherscan.
In the same way that you don’t need a GUI to use a computer (you could just use the terminal), most people choose not to do this. Its inconvenient and increases the chances of you making a mistake. Frontends will thus always be a problem. Uniswap chose in 2021 to censor its frontend in response to what was likely government saber rattling over synthetic assets.
This made the need clear for a multi-frontend architecture, which sadly most protocols have chosen to not implement (including Uniswap). Liquity stands out as an example of a project that actively encourages users to host alternative frontends. Until the web stack fully decentralizes; including storage, CDN, domains, load balancing, etc, frontends will have to be delivered at least in part through centralized rails. Having multiple frontends creates a game of whack-a-mole that prevents any attacker from ever taking down the entire operation.
RPC Endpoints
Satoshi envisioned a world in which people ran their own nodes. At the very least, they could maintain light clients to at least receive block headers from the network. This way, each individual is broadcasting their own transactions to their own set of peers. Essentially what a p2p network is supposed to look like.
Today we know that most people have never run a node and never will. The size of Bitcoin and Ethereum’s chain state has grown faster than the rate at which CPU power and storage have come down in price. Therefore the cost to maintain full nodes has risen over time. In addition there are now dozens of networks a user may want to interact with. Staying up to date with consensus for each becomes increasingly difficult each day.
Thus node provision has consolidated into a few providers. Having just a few providers has periodically hurt user experience due to downtime (most recently Optimism and Arbitrum have both experienced issues). More providers and decentralized networks like Pocket fix this. Eventually dependency on common links can be broken, reducing risks to users and increasing scalability of networks. Attacks on RPC endpoints may be unsophisticated today but that gives no guarantee about tomorrow. Individual users must arm themselves with backup links to be ready.
Overall I don’t expect the masses to start running nodes. Its expensive, time consuming, annoying, and hard to understand. There may come a time, far into the future, where nodes are optimized to an extent that they just run in the background of all the machines we own. But until then emphasizing private RPC use is the most feasible solution.
Governance and Social Engineering
Pure governance attacks have happened in the past (see my coverage of how some have used flash loans to attack governance in my last piece here) but there are some tried-and-true methods to avoid them. Namely, deposit lockups and waiting periods. The idea is to prevent token acquisition and voting to occur at the same time or in the same block. These systems, however, change incentive alignment and introduce complexity. These are often necessary early on but can be replaced later. As I argued before, the best governance is none at all.
Social engineering attacks fall in the same category because they will typically target core team members or influential community members. Once compromised, the implicit trust these people are given can be used to cause a lot of damage. It is well known that North Korean linked Lazarus group has attacked crypto projects in the past. In addition, the Ronin bridge hack, which was one of the largest single hacks on record, was in part facilitated by a social engineering attack. These attack vectors only exist because of key man risk. Of course, a team is needed at some point to build a project. I am not suggesting that we could somehow cause a dApp to spawn ex-nihlo. What does concern me, however, are the aspirations of some to become career protocol politicians. We must be careful to maintain the awareness that human intervention will become redundant sooner rather than later.
Conclusion - What do?
Firstly, as an individual the best thing to do is minimize your own centralization dependence. The recent lending crisis underscores the importance of removing funds from any custodial service including exchanges and lenders. Using custom RPCs, either through infura, alchemy, pocket, or your own nodes, is also a good idea. Not only will this keep you safe from DNS attacks on public endpoints, but also allow you to keep transacting at times when public endpoints are being overloaded. RPC API overload is a common issue during times of increased network activity. Keep your funds anonymized. Use multiple wallets and try not to link them together. Make diligent use of alternate mixing strategies (Tornado cash users will likely never attain a reasonable social credit score, beware). Seek protocols that decentralize properly. “Do you want to make money or be right” is an unfortunate reality of crypto. The profit maximalist decision is not always the right decision. Everyone finds their own balance these two poles, in order to preserve their ideology while also making a nice return.
dApps and DAOs will continue to fall under different forms of attack as the space grows. Maintaining a united front towards decentralization is more important than ever. Despite the pop culture nonsense that has bled into crypto because of NFTs, the idea of crypto itself is still deeply ingrained with a revolutionary message. Thankfully degens of cryptoland move quicker than our enemies, so in all likelihood we reach the ocean of decentralization before the gulls eat us all as a snack. The future is bright for us and for our way of life. BULLISH.
Remember:
“The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.”
Disclaimer: NFA DYOR. Stay Safe.